Appendix B - RFCs in Development

The following are RFCs which will be pertinent to this standard but are currently under development. Each entry gives the name of the RFC followed by a high level view of its scope:

Chain Grant Type for OAuth2

A method by which an OAuth protected service can take the OAuth token it received from its client and, in turn acting as a client, use it to access another OAuth protected service in a 'chained' profile.

Authentication Method Reference Values

Establishes a registry of authentication method reference values, covering methods such as:

  • Retina Scan
  • Facial Recognition
  • Fingerprints
  • Geolocation information
  • Proof of possession of a hardware key
  • Knowledge based authentication
  • Multi-channel authentication
  • Multi-factor authentication
  • One-time password
  • Personal Identification Number
  • Password based
  • Risk based
  • SMS confirmation messages
  • Proof of possession of a software key
  • Confirm by telephone
  • User presence test
  • Voice biometrics
  • Windows integration

Closing Open Redirectors in OAuth

Addresses a phishing attack in which the Authorisation Server, having failed to process a request, redirects the user agent to an attacker-chosen URI (acting as an open redirector).

OAuth 2.0 Authorization Server Discovery Metadata

Discovery of endpoints and authorisation server capability.

OAuth 2.0 JWT Authorization Request

Sends request parameters in the form of JWTs rather than as parameters encoded in the request URI.

OAuth 2.0 Mix-Up Mitigation

Addresses malicious endpoint (mix-up) attacks, in which a client is misled about which Authorisation Server it is interacting with.

OAuth 2.0 for Native Apps

This RFC recommends external user-agents, such as in-app browser tabs, as the only secure and usable choice for OAuth, rather than embedded user-agents.

A Method for Signing HTTP Requests for OAuth

A method for offering data origin authentication and integrity protection for HTTP requests.

OAuth 2.0 Token Exchange

Defines a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS), covering the requesting of tokens from an Authorisation Server.

OAuth 2.0 Message Authentication Code (MAC) Tokens

A proposal to use MAC Tokens in HTTP requests to access OAuth 2.0 protected resources.

OAuth 2.0 Proof-of-Possession (PoP) Security Architecture

Proposes the architecture for an OAuth 2.0 proof-of-possession security mechanism.

Page last updated: 19/12/2016